From 8f70f98640a1f71b85b509f313aba4a65829eaa7 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 23 Aug 2022 13:52:42 -0500 Subject: [PATCH] wolfcrypt/src/asn.c: refactor _SMALL_STACK code path in ParseCRL_Extensions() to fix memory leaks and heap-use-after-free. --- wolfcrypt/src/asn.c | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8a893ba66..6931444a3 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -35019,46 +35019,44 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, } else { if (length > 1) { - #ifdef WOLFSSL_SMALL_STACK - mp_int* m; - #else - mp_int m[1]; - #endif int i; - #ifdef WOLFSSL_SMALL_STACK - m = (mp_int*)XMALLOC(sizeof(*m), NULL, + mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL, DYNAMIC_TYPE_BIGINT); if (m == NULL) { return MEMORY_E; } + #else + mp_int m[1]; #endif + if (mp_init(m) != MP_OKAY) { - return MP_INIT_E; + ret = MP_INIT_E; } - ret = mp_read_unsigned_bin(m, buf + idx, length); - if (ret != MP_OKAY) { - mp_free(m); - #ifdef WOLFSSL_SMALL_STACK - XFREE(m, NULL, DYNAMIC_TYPE_BIGINT); - #endif - return BUFFER_E; - } + if (ret == 0) + ret = mp_read_unsigned_bin(m, buf + idx, length); + if (ret != MP_OKAY) + ret = BUFFER_E; - dcrl->crlNumber = 0; - for (i = 0; i < (*m).used; ++i) { - if (i > (int)sizeof(word32)) { + if (ret == 0) { + dcrl->crlNumber = 0; + for (i = 0; i < (*m).used; ++i) { + if (i > (int)sizeof(word32)) { break; + } + dcrl->crlNumber |= ((word32)(*m).dp[i]) << + (DIGIT_BIT * i); } - dcrl->crlNumber |= ((word32)(*m).dp[i]) << - (DIGIT_BIT * i); } + mp_free(m); #ifdef WOLFSSL_SMALL_STACK XFREE(m, NULL, DYNAMIC_TYPE_BIGINT); #endif - mp_free(m); + + if (ret != 0) + return ret; } else { dcrl->crlNumber = buf[idx];